CVE-2026-43334
Description
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: SMP: force responder MITM requirements before building the pairing response
smp_cmd_pairing_req() currently builds the pairing response from the initiator auth_req before enforcing the local BT_SECURITY_HIGH requirement. If the initiator omits SMP_AUTH_MITM, the response can also omit it even though the local side still requires MITM.
tk_request() then sees an auth value without SMP_AUTH_MITM and may select JUST_CFM, making method selection inconsistent with the pairing policy the responder already enforces.
When the local side requires HIGH security, first verify that MITM can be achieved from the IO capabilities and then force SMP_AUTH_MITM in the response in both rsp.auth_req and auth. This keeps the responder auth bits and later method selection aligned.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Linux kernel Bluetooth SMP pairing response may omit MITM flag, allowing weak security even when HIGH security is required.
Vulnerability
In the Linux kernel's Bluetooth subsystem, the SMP (Security Manager Protocol) pairing handshake has a logic flaw in smp_cmd_pairing_req(). The responder builds the pairing response using the initiator's auth_req before enforcing its own local BT_SECURITY_HIGH requirement. If the initiator does not include the SMP_AUTH_MITM flag, the responder's response may also omit it, even though the local side still requires MITM protection [1].
Exploitation
An attacker within Bluetooth range (unauthenticated, pairing phase) can exploit this by initiating a pairing request without the MITM flag. The vulnerable responder may then generate a response lacking MITM, leading to an inconsistent security policy. No authentication is needed initially, as the flaw occurs during the pairing setup before any keys are exchanged [1].
Impact
This inconsistency allows the attacker to downgrade the security method, potentially bypassing MITM protection during pairing. The method selection in tk_request() may choose JUST_CFM (just works) instead of requiring user confirmation, enabling a passive eavesdropper to complete pairing without detection. The result is weaker bonding than intended, exposing subsequent encrypted connections to MITM attacks [1].
Mitigation
The vulnerability is fixed in the Linux kernel stable repository by commit d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7. The fix ensures that when the local side requires HIGH security, MITM capability is verified from IO capabilities and the SMP_AUTH_MITM flag is forced into the response before building it. Users are advised to update their kernels to include this patch [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
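To make the ordering problem in the kernel description and the tk_request() consequence in the Impact paragraph concrete, here is a small C model of the responder-side logic with the vulnerable ordering next to the corrected one. It is an added illustration, not code from net/bluetooth/smp.c or from the fix commits listed below: the SMP_AUTH_MITM bit value, the enum names, the reduced method set and the simplified IO-capability check are all assumptions chosen to mirror the text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* AuthReq bit for MITM protection. The bit value is assumed for this
 * model; the kernel defines SMP_AUTH_MITM in its own SMP headers. */
#define SMP_AUTH_MITM 0x04

enum sec_level { BT_SECURITY_LOW, BT_SECURITY_MEDIUM, BT_SECURITY_HIGH };

/* SMP IO capability values in spec order (enum names assumed). */
enum io_cap { IO_DISPLAY_ONLY, IO_DISPLAY_YESNO, IO_KEYBOARD_ONLY,
              IO_NO_INPUT_OUTPUT, IO_KEYBOARD_DISPLAY };

/* Pairing method chosen by tk_request(), reduced to three outcomes. */
enum method { JUST_CFM, JUST_WORKS, PASSKEY_ENTRY };

enum smp_status { SMP_OK, SMP_AUTH_REQUIREMENTS };

struct pairing_cmd {
    uint8_t io_capability;
    uint8_t auth_req;
};

static bool mitm_achievable(enum io_cap local, enum io_cap remote)
{
    /* Simplification of the spec's IO-capability matrix: a NoInputNoOutput
     * side, or two DisplayOnly devices, can only do Just Works. */
    if (local == IO_NO_INPUT_OUTPUT || remote == IO_NO_INPUT_OUTPUT)
        return false;
    if (local == IO_DISPLAY_ONLY && remote == IO_DISPLAY_ONLY)
        return false;
    return true;
}

static enum method tk_request(uint8_t auth, enum io_cap local, enum io_cap remote)
{
    /* Without the MITM bit the method collapses to JUST_CFM, whatever the
     * IO capabilities could have supported. */
    if (!(auth & SMP_AUTH_MITM))
        return JUST_CFM;
    return mitm_achievable(local, remote) ? PASSKEY_ENTRY : JUST_WORKS;
}

/* Vulnerable ordering from the CVE text: the response is built from the
 * initiator's auth_req and the HIGH requirement is enforced afterwards, so
 * the MITM bit is never added to rsp.auth_req or auth. */
static enum smp_status pairing_req_before(const struct pairing_cmd *req,
                                          enum io_cap local_io,
                                          enum sec_level local_req,
                                          struct pairing_cmd *rsp,
                                          enum method *chosen)
{
    uint8_t auth = req->auth_req;
    enum io_cap remote_io = (enum io_cap)req->io_capability;

    rsp->io_capability = (uint8_t)local_io;
    rsp->auth_req = auth;                       /* initiator bits copied */

    if (local_req >= BT_SECURITY_HIGH && !mitm_achievable(local_io, remote_io))
        return SMP_AUTH_REQUIREMENTS;

    *chosen = tk_request(auth, local_io, remote_io);
    return SMP_OK;
}

/* Corrected ordering: verify MITM is achievable first, then force the bit
 * into both rsp.auth_req and auth before either is used. */
static enum smp_status pairing_req_after(const struct pairing_cmd *req,
                                         enum io_cap local_io,
                                         enum sec_level local_req,
                                         struct pairing_cmd *rsp,
                                         enum method *chosen)
{
    uint8_t auth = req->auth_req;
    enum io_cap remote_io = (enum io_cap)req->io_capability;

    if (local_req >= BT_SECURITY_HIGH) {
        if (!mitm_achievable(local_io, remote_io))
            return SMP_AUTH_REQUIREMENTS;
        auth |= SMP_AUTH_MITM;                  /* local policy wins */
    }

    rsp->io_capability = (uint8_t)local_io;
    rsp->auth_req = auth;                       /* MITM bit now present */

    *chosen = tk_request(auth, local_io, remote_io);
    return SMP_OK;
}

int main(void)
{
    /* Constructed initiator request: DisplayYesNo, MITM bit not set. */
    struct pairing_cmd req = { IO_DISPLAY_YESNO, 0x00 };
    struct pairing_cmd rsp;
    enum method m;

    pairing_req_before(&req, IO_KEYBOARD_DISPLAY, BT_SECURITY_HIGH, &rsp, &m);
    printf("before fix: rsp.auth_req=0x%02x method=%d\n", rsp.auth_req, m);

    pairing_req_after(&req, IO_KEYBOARD_DISPLAY, BT_SECURITY_HIGH, &rsp, &m);
    printf("after fix:  rsp.auth_req=0x%02x method=%d\n", rsp.auth_req, m);
    return 0;
}
```

With a local HIGH requirement and IO capabilities that could support passkey entry, the vulnerable ordering answers with auth_req 0x00 and lands in JUST_CFM; the corrected ordering sets the MITM bit in the response and selects an authenticated method, and rejects the request with SMP_AUTH_REQUIREMENTS when the peer is NoInputNoOutput. When the local requirement is only MEDIUM, neither version forces the bit, which is the intended behaviour.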
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- git.kernel.org/stable/c/01bb4045d2306c266178f49ce0c3576d237a3040 (nvd: Patch)
- git.kernel.org/stable/c/425a22c5373d4e1b46492ab869074ebeeade61f3 (nvd: Patch)
- git.kernel.org/stable/c/7ab69426e7ecbd18a222ee2ec87ca612d30197d7 (nvd: Patch)
- git.kernel.org/stable/c/91649c02c1baaa18cedf7fb425fa1f0f852c8183 (nvd: Patch)
- git.kernel.org/stable/c/c8ff0ca6508535bccabd81c5c9dcc63de8a3d4fb (nvd: Patch)
- git.kernel.org/stable/c/d05111bfe37bfd8bd4d2dfe6675d6bdeef43f7c7 (nvd: Patch)
- git.kernel.org/stable/c/ec17efb1ef91506cfd17a77692eaf4bbacb520ea (nvd: Patch)
- git.kernel.org/stable/c/fa14e0e19820b1bbdb42185c9c4efa950bcffef9 (nvd: Patch)
News mentions
No linked articles in our index yet.